In one example of how someone can profit from cybercrime with very little technical know-how, there is a business that pays people to abuse access to their employers' resources. For example, you might be instructed to insert a tiny piece of HTML code into your company's website in order to earn a commission for each visitor who is compromised by viewing the site. It's not your expertise that matters - it's your password to the Web server.
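The defensive counterpart to the scheme just described is a file-integrity check over the web root: a baseline of content hashes that surfaces any page that has been altered, whoever held the password. The following is an added example written for this article, not code from the researchers or any product; the directory layout, page contents and the "injected snippet" are all constructed for the demonstration.

```python
"""Added example: a minimal file-integrity baseline for a web root.

Constructed scenario: two pages are baselined, then one page is edited and a
new file appears. The diff reports the modified and added paths so an operator
can review unexpected changes to served content.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large assets are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> tuple:
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return added, removed, modified


def demo() -> tuple:
    """Run the constructed scenario and return the diff result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "about.html").write_text("<html><body>About us</body></html>")
        baseline = build_baseline(root)

        # Constructed change: a small addition to an existing page (stand-in
        # for the kind of unauthorized edit the article describes) plus a
        # brand-new file nobody deployed on purpose.
        (root / "index.html").write_text(
            "<html><body>Welcome<!-- constructed: inserted snippet --></body></html>"
        )
        (root / "promo.html").write_text("<html></html>")

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

In practice the baseline is stored off the web server (or signed) so that an account with write access to the document root cannot also rewrite the baseline, and the diff runs on a schedule or from a deploy hook so that only changes made through the normal release process are expected.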
"You don't need to know anything," Savage said. "This is outsourcing taken to its logical conclusion."
Savage detailed a few of his team's projects that involved getting a bit more personal with the cybercrime underground. CCIED infiltrated the Storm botnet, which was going wild in 2007, with honeypots that "poisoned" 1% of the URLs being distributed inside the botnet.
"This potentially allows you to observe what is going on and influence their actions," Savage said. "We were able to measure delivery probability, click-through rate and conversion rate."
Through this type of work, they found that pharma scams need to send 12 million emails to gain one purchase, but can still earn millions of dollars a year.
The real question is, how do you stop all of this? One example related to CAPTCHA technology - the annoying thing that makes you type in a random string of letters and numbers - shows how economic research can make us safer on the Web.
It turns out that using character recognition software is less economically feasible than simply paying humans to type in the letters and numbers, because companies that host websites periodically change their CAPTCHA system to fool the software. Humans, on the other hand, don't even have to know English to solve CAPTCHAs. They just have to be able to recognize the characters.
You can pay for CAPTCHA entry the same way you pay for credit card and email credentials. But on the other end is a worker earning just $1 or even less for an eight-hour shift in which they enter 1,000 CAPTCHAs.
Savage's team bought up lots of CAPTCHA recognition services to see how big the available capacity is. One provider had 400 or 500 people at work at any given time, with the whole industry solving millions of CAPTCHAs a day with cheap human labor.
This may make adding CAPTCHA technology to websites seem like a futile exercise. But it's just the opposite. Forcing criminal enterprises to pay for this service brings most of them to a tipping point where the whole enterprise is no longer economically feasible.
"If you don't have CAPTCHA, people with bad business plans can afford to exploit your resources," Savage said. "CAPTCHAs keep it to a small percentage of people who have good business models and can afford the cost."
By limiting the pool of criminals, this lets the computer defense industry concentrate more resources on stopping a smaller number of attacks.
But as anyone who has gotten a virus knows, it's not perfect.